[pkg-apparmor] Bug#826218: Complain still interferes

Christian Boltz apparmor-debian at cboltz.de
Sun Jun 5 23:14:08 UTC 2016


Hello,

On Sunday, 5 June 2016, 13:34:19 CEST, Guido Günther wrote:
> On Sat, Jun 04, 2016 at 06:38:46PM +0200, Christian Boltz wrote:
> > deny rules are enforced even if you switch the profile to complain
> > mode, and don't leave any log events behind. You might want to
> > change them to "audit deny" temporarily to get log events (with
> > AUDIT).
> 
> I did not know. Thanks! IMHO this needs to be mentioned in the
> aa-complain manpage to fulfill the "no PhD in computer science needed
> for" promise.

Good point. I just committed an updated manpage upstream (will be in 
2.11, 2.10.2 and 2.9.4 whenever they get released).

> The issue turned out to be environment scrubbing:
>    
> https://www.redhat.com/archives/libvir-list/2016-June/msg00117.html
> 
> but I think the issue is still valid: getting an idea what gets
> dropped to the floor is too hard atm. With complain mode I'd expect:
> 
>     * denials logged by default

The whole point of deny rules is to silence the logging (except if they 
also have the audit keyword).

You can enable the logging by adding the audit keyword, but the general 
rule is not to log anything that is already handled (allowed or denied) 
in the profile.

>     * a way to audit calls to subprocesses indicating whether the
>       environment was scrubbed or not

You'll get this information by reading the profile ;-) It already had 
"/usr/sbin/* PUx" [1] which also allowed /usr/sbin/virtlogd - but with 
environment scrubbing.

I'm CC'ing another upstream developer, but I wouldn't be surprised if he 
tells you the same ;-)

@John: Do you have a different opinion on Guido's points?

>     * other stuff I might not even know about yet like DBus denials …

Actually I can't tell you too much about DBus because only the Ubuntu 
kernel has DBus support for AppArmor (it's not upstreamed yet), and I'm 
using openSUSE ;-)


Regards,

Christian Boltz

[1] I'm not sure if this rule (and the other broad PUx rules) are a good 
    idea [2], but a) I don't know libvirtd well enough to judge it
    and b) that's a totally different topic ;-)

[2] These PUx rules allow executing _all_ programs, and most of them
    unconfined (except if a profile for this program exists). 
    I slightly ;-) doubt libvirtd needs to execute all of them...

-- 
[bugzilla is] being as co-operative as a 2 legged donkey
pulling a 10 ton tractor under attack by an army of bees
[Richard Brown in opensuse-factory]
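The two points Christian makes above (bare `deny` rules stay enforced and silent in complain mode unless they carry `audit`, and broad `PUx`-style rules let targets run unconfined with environment scrubbing) are easy to overlook when reading a profile by hand. The following script is an added example, not code from this thread or from the AppArmor project: it scans a constructed profile fragment, lists the silent deny rules, reports each exec transition with its unconfined/scrubbing properties, and produces the "temporarily audit every deny" variant for debugging. The exec-mode reading (a `u` in the qualifier means a possible unconfined transition, an upper-case first letter such as `Px`, `Ux`, `PUx` means the environment is scrubbed) follows the apparmor.d rule syntax; the profile content itself is made up for the example.

```python
import re

# Constructed profile fragment for illustration; it is NOT the libvirtd
# profile discussed in the thread.
SAMPLE_PROFILE = """\
# constructed example profile
/usr/sbin/example-daemon {
  /etc/example/** r,
  deny /etc/shadow r,            # silent: enforced even in complain mode
  audit deny /root/** rw,        # logged when hit
  /usr/sbin/* PUx,               # unconfined fallback, environment scrubbed
  /usr/bin/helper px,            # own profile required, no scrubbing
  /bin/sh ix,                    # inherits this profile
}
"""

# Exec qualifier letters followed by the mandatory 'x' (ix, px, Px, PUx, cx, Ux, ...)
EXEC_SPEC = re.compile(r"[pPcCuUi]*x")


def parse_file_rules(profile_text):
    """Extract simple path rules as dicts: path, mode, audit flag, deny flag.

    Only one-line rules of the form '[audit] [deny] [owner] /path mode,' are
    handled; capability, network and other rule types are skipped.
    """
    rules = []
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(","):
            continue  # profile header, braces, blank or comment-only lines
        tokens = line[:-1].split()
        audit = deny = False
        while tokens and tokens[0] in ("audit", "deny", "owner"):
            keyword = tokens.pop(0)
            audit = audit or keyword == "audit"
            deny = deny or keyword == "deny"
        if len(tokens) != 2 or not tokens[0].startswith("/"):
            continue
        path, mode = tokens
        rules.append({"path": path, "mode": mode, "audit": audit, "deny": deny})
    return rules


def silent_denies(rules):
    """Paths covered by deny rules without 'audit': these stay enforced in
    complain mode and produce no log event, so they are easy to miss."""
    return [r["path"] for r in rules if r["deny"] and not r["audit"]]


def exec_transitions(rules):
    """For each allow rule granting exec, report
    (path, exec spec, may_run_unconfined, env_scrubbed).

    'u' anywhere in the qualifier means the target may run unconfined;
    an upper-case first letter (Px, Ux, PUx, Cx, ...) means the environment
    is scrubbed before the transition.
    """
    result = []
    for r in rules:
        if r["deny"]:
            continue
        match = EXEC_SPEC.search(r["mode"])
        if not match:
            continue
        spec = match.group(0)
        unconfined = "u" in spec.lower()
        scrubbed = len(spec) > 1 and spec[0].isupper()
        result.append((r["path"], spec, unconfined, scrubbed))
    return result


def audit_all_denies(profile_text):
    """Return the profile with every bare 'deny' rule turned into 'audit deny',
    the temporary change suggested in the thread for debugging in complain mode."""
    out = []
    for raw in profile_text.splitlines():
        stripped = raw.lstrip()
        indent = raw[: len(raw) - len(stripped)]
        if stripped.startswith("deny "):
            out.append(indent + "audit " + stripped)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules = parse_file_rules(SAMPLE_PROFILE)
    print("silent deny rules:", silent_denies(rules))
    for path, spec, unconfined, scrubbed in exec_transitions(rules):
        print(f"{path:20} {spec:4} unconfined={unconfined} scrubbed={scrubbed}")
    print(audit_all_denies(SAMPLE_PROFILE))
```

Run it against a real profile by reading the file into `parse_file_rules`; the `audit_all_denies` output is meant to be loaded temporarily with `apparmor_parser -r` while debugging and reverted afterwards, since the thread's point is that normal profiles deliberately keep deny rules quiet.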